Imagine we make a locked box that has two different keys that might open it. I share one with you, and keep one key.

Later, you receive a locked box and are told it has a message from me. But when you insert your key, the box does not unlock. You meet up with me and show it to me. I’m confused: I didn’t send you any boxes. I try my key, and the box does not unlock. There’s only one explanation: someone lied to you about who sent you the box.

That’s more or less how digital signatures work.

An “encryption algorithm” is math that needs two inputs: a “key” used by the math and “plaintext” representing the data you want to encrypt. PGP is a kind of algorithm that uses “shared keys”. That means its math is designed so there are two keys: a “public key” and a “private key”, and if you “lock” the data using one key, you can “unlock” that data using the other key. (In this case, “lock” means it gets garbled and reorganized so much a person who has it can’t tell what it originally was.) That’s basically the lockbox I just described. I have a “private key” that I keep secret from everyone else, but I also have a “public key” I let other people have. If I lock something with my private key, they can unlock it with my public key. If they lock something with my public key, my private key is the only thing that unlocks it.

Signatures use encryption, but don’t have to encrypt the data they’re protecting. Suppose I want to send you an email, and I want you to be SURE the email came from me. It’s not so private I want to encrypt it, but it’s important to know it really came from me.

I can do some quick, simple math on the email to get a “checksum”. Let’s simplify that and say I just make a new piece of text out of the first letter of every word in the email. Then I can encrypt that new text with my private key, and attach it to the email. This attachment is my “signature”.

Now when you get the email, you check my “signature”. You use my public key to “unlock” the data. You see it’s a string of characters, and that string is the first letters of every word in the email. Now you know two things:

1. The email HAD to have come from me, because if my public key “unlocked” the data it could only have been “locked” with MY private key, which I keep secret.
2. If someone has tampered with the email, they had to be VERY careful to not change the first letters of the words, so it’s very unlikely it’s been tampered with.

This is more or less how PGP signatures work. The “keys” are VERY big numbers, like “I have a thousand digits” big, so it’s ridiculously unlikely someone can just guess a person’s private key. There’s not a reversible relationship between the public key and private key, so knowing the public key doesn’t help people guess a private key. The “checksum” used is a lot more complicated than “the first letter of every word”, so the signature gives a much better confidence the message has not been tampered with.

The only way it breaks is if someone manages to steal a private key and the owner doesn’t know.